
It's always shocking to me how many people blindly sacrifice the principles that make the things their lives depend on actually worthwhile. The internet isn't just a thing that happened, it was developed and rolled out under specific principles and vision, and violating those principles destroys the system.

The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.

Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.

Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.



Sure, I wouldn’t want the Linux Foundation or other pieces of critical FOSS infrastructure to be routed via Cloudflare. But if I am setting up a web shop for somebody they usually care much more about someone at least pretending to be doing something about a DDoS they got hit with than the decentralised internet.

To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.


or if CloudFlare gets conscripted as the new PRISM or NSA censorship

PRISM and the NSA are not involved in censorship but they do like to ingest a lot of data, the more the merrier. Only certain members of CF would know if they are already looped in and would have signed scary things preventing disclosure if that were the case. I just assume everything going through a CDN is monitored since it is a MitM by design. A long while back Akamai got in a lot of trouble for some of their people selling data to a country in the Middle East, I forgot which one.

The way the censorious game works in the Ministry of Truth: a sub-committee in the DHS sends private messages to former federal employees that work in high positions at tech platforms and advises them what to censor, giving the company a way to say they did not officially comply with censorship demands. I will let the Queen of the internet explain [1]. Letting federal employees message people outside of logged government chat platforms is problematic.

[1] - https://www.youtube.com/watch?v=zdjQWuJeVqE [video][13 mins]


In principle I agree, but in practice - what are the better ways of doing things, as of now?


Use other services where necessary, and sparingly. Use only what's functionally necessary, and diversify. Encourage your employer or organization to avoid vendor lock. Don't ever meet with salespeople, stay in charge of your websites and infrastructure. Find a highly disagreeable technical engineer to tell you what you can get away with; you probably don't need the scale of the things CloudFlare, AWS, et al impose by default.

AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.

Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.

Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.

Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.

It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.

Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.

We have to stop pissing away the good for the convenience of the cheap.

/soapbox


DDoS via AI bots doesn't have a straightforward solution at the individual level (Anubis-like solutions only neutralize the dumbest of bots). If you have a reference otherwise, I'd love to have it.


Digital bill of rights and enforcing laws already on the books, imposing requirements on ISPs to remove bad actors, and having governments and law enforcement agencies actually do the boring and tedious work of tracking these people down and shutting them down. Disconnecting ISPs from the rest of the internet when they cannot police themselves. Shutting down "VPN" services that harvest and abuse residential IP blocks of their users to evade detection while accepting money from bot herders, and other criminal activity that gets ignored.

We have sensible laws on the books, treaties, and all sorts of agreements with entities ranging from big corporations to ISPs to countries, but they aren't enforced. Just look at how long spam call centers have been an issue - if we start playing hardball and simply shutting off entire regions until providers and governments comply with basic enforcement, we can have a civilized internet.

These botnets are not magic. They're not subtle. They're not ultra-secure beyond the reach of mere mortals to do anything about.

They're allowed to persist for all sorts of reasons, ranging from utility to nation state level threat actors to local ISP corruption and bribery to simple laziness and incompetence.

From the top down, governments merely need to enforce the rules that are already in play. I guarantee if you disconnect large regions of India where many of these sorts of problems originate, the people there will convince their local officials to take appropriate action - and if that doesn't work, we don't need them on the internet anyway.

Same goes for any regional ISPs in the US, or Canada, or anywhere else in the world.

We have rules, let's try following them before we decide on mechanisms like CloudFlare or other centralized controls.


That's wonderful, but the AI bots are costing me money or taking my website down at this moment.

I don't need a solution tomorrow; I need a solution today. And Cloudflare is the "today" solution.


Good points - thank you for a thoughtful answer!


Agreed.

One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)

Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.

Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs... and yet on the other side of the Atlantic, the US utterly failed to ban or control TikTok. Endless announcements of upcoming deals that were either lies (Oracle protecting Americans' data) or postponements.

Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)

One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart into pieces and selling them off. One day CloudFlare might be split into 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.



